Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Malicious PDFs Poison Google Search Results

A new SophosLabs report claims that malware-infected PDFs are influencing Google's search results.

Getting a top ranking in Google's search engine is supposed to be an organic task, with the best content ranking highest, but according to a new research report from security vendor Sophos, attackers are using cloaked PDF files to influence Google's search results. The cloaked files may include malware and links to malicious sites.

Maxim Weinstein, security adviser at Sophos, explained that SophosLabs researcher Jason Zhang first noticed the cloaked PDF files at the beginning of June. The PDF files are full of different words that are intended to help influence search engine ranking. Weinstein noted that some are related to foreign exchange and investment terms and lead to a binary trading broker.

"It's hard to know which exact keywords they are targeting, but the 'binary stock trading' topic stands out," Weinstein said.

Sophos' research indicates that the company has seen "hundreds of thousands" of unique PDFs that triggered a malware detection rule. Weinstein said that he didn't have a specific number he could share, but he emphasized that the hundreds of thousands of detections are happening per day.

Further reading

"That doesn't necessarily map one to one with high-ranked poisoned search results, but it does imply that the actors behind the campaign managed to get that many PDFs into circulation, via either malicious or compromised Websites," he said.

The cloaked PDFs aren't all necessarily loaded with malware either. Weinstein explained that the issue is not so much about malware in the PDFs as it is about malicious URLs that are included in the PDFs. That is, there is something about the URLs included in the cloaked PDFs that gives Sophos some reason to believe they have been, or will be, associated with malicious activity.

"The poisoning technique works by cross-linking the PDFs via embedding links to other URLs," Weinstein said.

In the binary trading search engine poisoning example, Weinstein said that Sophos didn't actually see any malware. That said, he added that Sophos has seen search poisoning used routinely in other instances to redirect users to malware, rather than to get-rich-quick schemes.

Sophos contacted Google prior to the disclosure to inform the company of the cloaked PDF risk. Weinstein said Sophos has a good working relationship with Google and felt it was important to reach out to the company before publicly discussing the issue.

Google did not respond to a request for comment from eWEEK by press time.

"I don't feel comfortable commenting on what Google should do, but I would expect Google will take this into account and make whatever changes it deems necessary to reduce the effectiveness of this type of poisoning," Weinstein said. "This would be consistent, for example, with Google's past behavior to limit the effectiveness of HTML-based poisoning."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.